The campaign of former Sen. Norm Coleman has alerted donors that a database containing personal data, including credit card numbers, has been circulating on the Internet.
Minnesota has a number of consumer protection laws that govern the use of personal information, which has raised questions about whether the Coleman campaign has violated state law.
Coleman attorney Fritz Knaak told AP yesterday that he’s confident the campaign complied with the law. But concerns have surfaced, particularly about when the campaign notified those whose data had been exposed and what credit card information it kept in its database.
According to the Coleman campaign’s newly posted FAQ about the database breach, the campaign knew or at least suspected that the data had been exposed in January.
“We had reason to believe that someone had illegally accessed our website in late January,” the FAQ states. “At that time we immediately notified the Secret Service. They conducted an initial forensics review of our server and concluded that there was no evidence that any private or confidential information had been downloaded.”
Minnesota statute says that when “unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person,” it must be disclosed “in the most expedient time possible and without unreasonable delay” to the people whose data was acquired.
Hamline University law professor David Schultz says not alerting the donors in January could have been illegal.
“[Coleman’s] campaign potentially violated state law by not promptly notifying card holders of the disclosure of their card info,” Schultz told Talking Points Memo. “Assume the campaign did suffer a breach in security, his campaign faces fines under state law and it is possible a card holder could sue the campaign for any damages. It would be hard for the donors to sue Coleman personally and prevail.”
Coleman’s campaign also retained the verification codes listed on the backs of donors’ credit cards, according to the databases. The FAQ also notes, “The only information … made public so far [from the leaked version of the database] are the last four digits of individual’s cards and the security code on the card.” Under a law passed in 2007, retaining those numbers is prohibited:
“No person or entity conducting business in Minnesota… shall retain the card security code data, the PIN verification code data, or the full contents of any track of magnetic stripe data,” says state statute 325E.64. “A person or entity is in violation of this section if its service provider retains such data subsequent to the authorization of the transaction.”
Jay Lim, a spokesman for Wikileaks, told the AP yesterday, “Coleman should not have kept this information” and that “his team should not have released the information out onto the open Internet for anyone to download.”
“[Coleman] should have informed those concerned,” Lim said. “We shouldn’t have had to do it for him.”